1. It’s About The Basics – Website Security (WordPress)
   5/17/2014 | Tony Perez | @perezbox | @sucuri_security

2. @PEREZBOX
   • Sucuri, Inc.
     – @sucuri_security
     – @perezbox
   • Specialization:
     – Website Security
     – Incident Handling
   • Special Interests:
     – Brazilian Jiu-Jitsu

3. Sucuri, Inc.
   • Website Security Company
   • Global Operations
   • Platform Agnostic (i.e., WordPress, Joomla, etc.)
   • Scan 2M Unique Domains a Month
   • Block 4M web attacks a Month
   • Remediate 400 – 500 websites a day
   • Signature / Heuristic Based
   • 24/7 operations

4. Statistics

5. 2013 – Year of the Mega Breach
   Chart: Data Breaches (Millions), 2011 vs 2013

6. Anatomy of Malicious Websites
   Chart: Malicious Websites vs Legitimate Websites

7. Legitimate Websites
   Chart: Not-Exploitable vs Exploitable – 1 in 8 have a Critical Vulnerability

8. Ransomware Explosion
   Chart: Ransomware, 2012 vs 2013

9. Malware Distribution
   Chart categories: Remote iFrame Includes, Remote JavaScript Includes, SPAM Injections, Obfuscated / Encoded JavaScript, Conditional Redirects, Defacements, Other
   Chart values (in the order extracted): 26%, 19%, 16%, 14%, 11%, 4%, 10%

10. Understanding Hackers

11. Anatomy of Website Attacks
    What kind of website do you have?
     Use for malware?
     Part of a zombie network?
     Data breach?

12. Five Stages of an Attack

13. Automated Attacks
     Exploiting Access Control

14. Distribution Mechanism

15. There’s a Tool for that
    • Malware as a Service (MaaS)
      – Yes, pay someone to hack for you
    • Different tools to break in and generate payloads
      – Brute force and vulnerability exploits
    • Malware Payloads

16. Why?

17. Impacts To You

18. Beyond The Application Layer
    • Going deeper than the application layer, targeting the server.
    • Server Polymorphism – a.k.a. highly adaptive / sophisticated
    Examples: Darkleech, Cdork (Apache), Ebury (SSH), Email Server (SPAM), Heartbleed (OpenSSL)

19. Phishing Lures

20. Exploiting Forms
    • Stick With Reputable Sources
    • Generating SPAM emails, resource hogs
    • IP blacklisting

21. Search Engine Poisoning (SEP)
    • Pharmacy
    • Payday Loans

22. Blacklisting

23. Drive By Downloads

24. Brute Force Attacks

25. Denial of Service (DOS)

26. Brute Force vs Denial of Service

27. Trust Erosion

28. Free is not always Free
    • http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html
    • SEOPressor – payload located in wp-content/plugins/seo-pressor(gratuit), file central.class.php
    • Restrict Content Pro – payload located in wp-content/restrict-content-pro/includes/, file sidebar.php
    • Flat Skins Pack Extension – payload located in wp-content/ubermenu-skins-flat

29. Don’t Worry, Everyone is a “Target”

30. Defenses

31. Biggest Weakness / Vulnerability

32. It’s About Good Posture

33. Starts With Expectations
    “It’s about risk reduction… risk will never be zero…”
    Posture / Risk

34. Defense in Depth
    “…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”

35. Layered Defenses
    Protection – Detection – Auditing – Sustainment

36. Access – P@ssw0rd
    • Passwords: Complex – Long – Unique

37. Enforce Strong Credentials

38. Push the Access Boundaries
    • https://getclef.com/ | @getclef

39. Principle of Least Privilege
    “requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”

40. Understand Your Roles

41. Hardening – Kill PHP
     PHP Execution, disable it:
       /wp-includes
       /wp-content
        ▪ /themes
        ▪ /plugins
        ▪ /uploads
    Apache directive (e.g., in an .htaccess file in each of those directories):
        <Files *.php>
        Deny from all
        </Files>

42. Disable Plugin / Theme Editor
    • WP-CONFIG File Modification
        # Disable Plugin / Theme Editor
        define('DISALLOW_FILE_EDIT', true);

43. Brute Force Attacks

44. Please Backup

45. Software Vulnerabilities
    • Stay current with the latest vulnerabilities:
      – Secure – http://wordpress.org/plugins/secure/

46. Brute Force Protection
    • Local Protection
      – https://bruteprotect.com/ | @BruteProtect

47. Stay Current (Update)

48. Website Firewalls
    • Stay ahead of Software Vulnerabilities

49. Ensure Integrity of Connection
    • https://www.getcloak.com/ | @getcloak

50. Simple Steps to Reduce Risk
    The Bare Minimum:
    1. Connect Securely – SFTP / SSH
    2. Authentication Keys / wp-config
    3. Use Trusted Sources
    4. Use a local Antivirus – Mac too
    5. Permissions – D 755 | F 644
    6. Least Privilege Principles
    7. Accountability
    8. Backups – Include Database
    Ideal implementations:
    1. Employ Website Firewall
    2. Don’t let WordPress write to itself
    3. Filter Access by IP
    4. Use a dedicated server / VPS
    5. Monitor all Activity (Logging)
    6. Enable SSL for transactions
    7. Keep environment current (patched)
    8. No Soup Kitchen Servers
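The following script is an added example, not part of the deck or of any Sucuri tooling. It applies and then verifies three of the controls above on a constructed WordPress-like directory tree: blocking direct PHP execution under wp-includes and wp-content (slide 41), setting DISALLOW_FILE_EDIT in wp-config.php (slide 42), and the 755/644 permissions from the Bare Minimum list (slide 50). It assumes Apache with .htaccess overrides enabled for the document root; the slide's "Deny from all" is the Apache 2.2 syntax, so the example also emits the Apache 2.4 "Require all denied" form. All paths and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: applies and verifies three controls from
# the deck (slide 41: block PHP execution under wp-includes and wp-content;
# slide 42: DISALLOW_FILE_EDIT in wp-config.php; slide 50: directories 755,
# files 644) on a constructed WordPress-like tree. Assumes Apache with
# .htaccess overrides (AllowOverride) enabled for the document root.
set -u

# Write an .htaccess that refuses direct requests for *.php below DIR.
# The slide shows the Apache 2.2 form ("Deny from all"); Apache 2.4 uses
# "Require all denied", so both are emitted behind IfModule guards.
harden_php_dir() {
  dir=$1
  [ -d "$dir" ] || return 1
  cat > "$dir/.htaccess" <<'EOF'
# Block direct execution of PHP files in this directory tree
<Files "*.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# 0 when DIR carries the PHP-blocking .htaccess, 1 otherwise.
php_is_blocked() {
  grep -qs 'Require all denied' "$1/.htaccess"
}

# Add the DISALLOW_FILE_EDIT constant to wp-config.php, once, and before the
# "stop editing" marker so it is defined before wp-settings.php is loaded.
disable_file_edit() {
  cfg=$1
  [ -f "$cfg" ] || return 1
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
  awk -v line="define('DISALLOW_FILE_EDIT', true);" '
    /That.s all, stop editing/ && !done { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# 0 when the dashboard file editor is disabled in CFG, 1 otherwise.
file_edit_disabled() {
  grep -q "define('DISALLOW_FILE_EDIT', true)" "$1"
}

# Slide 50 "Bare Minimum" permissions: directories 755, files 644.
fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Number of entries under ROOT whose mode deviates from 755/644 (0 = compliant).
perm_violations() {
  { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } | wc -l | tr -d ' '
}

# --- Constructed sample tree standing in for a real install (demo only) ---
WP_ROOT=$(mktemp -d)
trap 'rm -rf "$WP_ROOT"' EXIT
mkdir -p "$WP_ROOT/wp-includes" "$WP_ROOT/wp-content/themes" \
         "$WP_ROOT/wp-content/plugins" "$WP_ROOT/wp-content/uploads"
cat > "$WP_ROOT/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
: > "$WP_ROOT/wp-content/uploads/uploaded.php"   # constructed: a PHP file that landed in uploads
chmod 777 "$WP_ROOT/wp-content/uploads"           # constructed: deliberately loose mode

for d in wp-includes wp-content/themes wp-content/plugins wp-content/uploads; do
  harden_php_dir "$WP_ROOT/$d"
done
disable_file_edit "$WP_ROOT/wp-config.php"
fix_perms "$WP_ROOT"

echo "PHP blocked in uploads:  $(php_is_blocked "$WP_ROOT/wp-content/uploads" && echo yes || echo no)"
echo "File editor disabled:    $(file_edit_disabled "$WP_ROOT/wp-config.php" && echo yes || echo no)"
echo "Permission violations:   $(perm_violations "$WP_ROOT")"
```

Two caveats when applying this to a live site. A blanket `<Files "*.php">` block under wp-includes, themes, or plugins will break any plugin or theme that serves a PHP file by direct request, so test after each directory and consult the WordPress Hardening page linked on slide 51, which shows a rewrite-based variant with exceptions. The 644 file mode follows the slide's Bare Minimum list; wp-config.php holds database credentials, so restricting it further than the rest of the tree is a common refinement once the basics are in place.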
51. Notable Resources
    Name                        Tool
    Sucuri Blog                 http://blog.sucuri.net
    Sucuri TV                   http://sucuri.tv
    Malware Scanner             http://sitecheck.sucuri.net
    Malware Scanner             http://unmaskparasites.com
    Badware Busters             https://badwarebusters.org
    Google Forums               http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
    Google Webmaster Tools      http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
    Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress
    Exploit-DB                  http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
    WordPress Hacked FAQ        http://codex.wordpress.org/FAQ_My_site_was_hacked
    WordPress Hardening         http://codex.wordpress.org/Hardening_WordPress

52. Sucuri, Inc. – Tony Perez
    http://sucuri.net
    http://blog.sucuri.net
    @perezbox | @sucuri_security
    http://www.slideshare.net/perezbox/website-security-wordpress-its-about-the-basics
